The German Country Signing Certificate Authority (CSCA)

This website contains information on the German CSCA operated by the Federal Office for Information Security (BSI).

The distinguished name of the CSCA is C=DE, O=bund, OU=bsi, CN=csca-germany.

CSCA Public Key Certificates

The CSCA uses two types of key pairs: a main key pair and a number of backup key pairs. The main key pair is used to issue Document Signer certificates. Backup key pairs are used only for disaster recovery: in the unlikely case that the main key pair becomes unusable, the first backup key pair becomes the new main key pair, and so on.

DER encoded certificates for the CSCA public keys can be found below. The information required to verify the authenticity of the following certificates is also available in authentic printed form upon request.

Certificate Rollover

The next rollover of the CSCA certificate is planned for 2019.

Main Public Key Certificate (Certificate 08/2016)

The current main public key is available as a self-signed certificate and as a link certificate that can be verified with the previous public key (i.e. the one with relative distinguished name SN=101).

The public key has the relative distinguished name SN=103 and the SHA-1 fingerprint 1B:C7:50:B1:47:A7:55:FA:2F:25:79:20:6E:55:D2:2F:E2:E4:27:9E.

Communication with the CSCA

The primary communication channel with the CSCA is email: csca-germany@bsi.bund.de.
You can also encrypt your messages to this email address using the S/MIME certificate. The address for the primary communication channel is indicated in the SubjectAlternativeName extension of the certificates. The secondary communication channel is fax: +49228 9582 5722.

Incoming Information

The information the CSCA is prepared to receive includes, but is not limited to, CSCA link certificates, CRLs and Certification Requests. All received information will be acknowledged.

Outgoing Information

The information the CSCA sends out includes, but is not limited to, DS certificates, CRLs and notifications after backup key activation.

Unless a communication channel with a relying party is already established (e.g. the email address is known from the SubjectAlternativeName extension contained in a CSCA certificate), registration with the CSCA is required to receive such information. The registration should include at least an email address and a proof of origin.